[Idle-dev] IDLE's save-before-run requirement

Guido van Rossum guido@digicool.com
Wed, 20 Jun 2001 15:24:48 -0400


> I once asked about something like this.  I believe right now
> IDLE, at least, is not constructed in such a way that it
> would be easy to rip out the Tkinter dependence so it could
> be changed to something else, either permanently or for
> plug-replaceable graphics toolkits.
> 
> I wonder how much work that really would be, and if anybody
> has any interest in it.  Not sure if there's really enough
> value to be gained to make it worthwhile.
> 
> Mats

Well, once I check in my subprocess code, you will be able to use IDLE
to edit and run code using any GUI toolkit you have available.  (It
should also be possible to use Jython as the subprocess, although I'm
not going to enable that.)

Here's my dilemma.

I have a somewhat working "remote" mode, which executes commands in a
subprocess.  However, it's got a HUUUUUUGE security hole.  The
subprocess acts as a server, and the first client to connect to it
will get to execute arbitrary Python code in the subprocess.  It is
the intention that the IDLE main program is this client, but how can
we be sure?  Someone who knew you were starting IDLE could try to
hijack the subprocess and would then have all your permissions.  If
they tried enough times they would likely be successful.

The parent could pass some kind of random number to the subprocess,
but I know about this approach that unless you have a source of truly
random bits, it's relatively easy for the bad guy to guess what
your pseudo-random number generator will come up with, and I just
don't want to release code with such a huge security problem.

I am begging for someone else to help me solve this problem.  Telling
me "just check it in" won't do -- I will not release code with a known
security hole.

The remote mode is a lot slower too, when there's a lot of output
being produced.  But I wouldn't mind releasing that. :-)

--Guido van Rossum (home page: http://www.python.org/~guido/)
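One way to close the hole Guido describes, as an added example that is not IDLE's code and not what was checked in: the parent draws the shared secret from the operating system's CSPRNG rather than a seedable PRNG, and the subprocess refuses to execute anything until the connecting client proves it holds that secret with an HMAC challenge-response (the secret itself never crosses the wire, so a listener on the loopback interface learns nothing replayable). The example assumes a modern Python 3 (`secrets`, `hmac.compare_digest`), a localhost TCP socket, and, to stay self-contained, stands in for the real subprocess with a thread that receives the secret in memory; a real parent would hand it over an inherited pipe or stdin, never on the command line where `ps` exposes it. The `exec` of received code mirrors the "execute arbitrary Python code" behaviour the message describes; the authentication gate is the point.

```python
import hashlib
import hmac
import secrets
import socket
import struct
import threading

HOST = "127.0.0.1"      # never bind the interpreter server to all interfaces
CHALLENGE_LEN = 32


def make_secret() -> bytes:
    """Parent side: the shared secret comes from the OS CSPRNG (secrets ->
    os.urandom), not from random.random(), whose Mersenne Twister state an
    attacker can recover from a few observed outputs and then predict."""
    return secrets.token_bytes(32)


def proof(secret: bytes, challenge: bytes) -> bytes:
    """HMAC over the server's fresh challenge; reveals nothing about the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


# --- tiny length-prefixed framing so messages are unambiguous on a stream ---
def send_msg(sock, data: bytes) -> None:
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_msg(sock) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def serve_one(listener, secret: bytes, namespace: dict) -> bool:
    """Subprocess side: accept one client, demand proof of the secret before
    executing anything, then exec what the authenticated client sends."""
    conn, _ = listener.accept()
    with conn:
        challenge = secrets.token_bytes(CHALLENGE_LEN)   # fresh per connection
        send_msg(conn, challenge)
        try:
            answer = recv_msg(conn)
        except ConnectionError:
            return False
        # Constant-time compare: no timing side channel on the digest bytes.
        if not hmac.compare_digest(answer, proof(secret, challenge)):
            send_msg(conn, b"#AUTH_FAILED")
            return False            # hijacker gets nothing executed
        send_msg(conn, b"#WELCOME")
        while True:
            try:
                code = recv_msg(conn)
            except ConnectionError:
                return True         # parent hung up; normal shutdown
            try:
                exec(code.decode(), namespace)
                send_msg(conn, b"ok")
            except Exception as e:  # report, don't die, like a REPL
                send_msg(conn, repr(e).encode())


def client_session(port: int, secret: bytes, code_lines):
    """Parent side: answer the challenge, then ship code lines for execution."""
    with socket.create_connection((HOST, port)) as s:
        send_msg(s, proof(secret, recv_msg(s)))
        banner = recv_msg(s)
        if banner != b"#WELCOME":
            return banner, []
        replies = []
        for line in code_lines:
            send_msg(s, line.encode())
            replies.append(recv_msg(s))
        return banner, replies


def run_scenario(attacker: bool = False):
    """Spin up the 'subprocess' listener, then connect either as the real
    parent (knows the secret) or as a hijacker who must guess it."""
    secret = make_secret()
    namespace = {}
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener, secret, namespace))
    t.start()
    key = secrets.token_bytes(32) if attacker else secret   # attacker's guess
    banner, replies = client_session(port, key, ["x = 6 * 7"])
    t.join()
    listener.close()
    return banner, replies, namespace


if __name__ == "__main__":
    print("parent  :", run_scenario(attacker=False)[:2])
    print("hijacker:", run_scenario(attacker=True)[:2])
```

The challenge is regenerated per connection, so capturing one legitimate exchange does not let an attacker replay it; the remaining exposure is a local user who can read the parent's memory or the pipe, which is already equivalent to having the parent's permissions.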